Wednesday, June 16, 2010

Law enforcement has apparently become an arm of AT&T and Apple

I feel like we are living in what I thought was the fictional world of the movie RoboCop. In that movie, law enforcement is turned over to the private company OCP, with the cyborg RoboCop leading the way. We're not quite there yet, but these last few months have exposed a frightening ability of corporate America to get official law enforcement to do its bidding.

First a little background.

As everyone who reads this blog surely knows, several months ago the gadget blog Gizmodo purchased a then secret, unreleased iPhone from someone who claimed to have found it in a bar. Gizmodo wrote a major article about the phone and then gave it back to Apple.

What has followed is an investigation by local police, kicked off with a search warrant executed on the home of Jason Chen, an editor at Gizmodo, looking for evidence to support a criminal case against him for "theft" of the already returned phone. They broke down his door while he was not home and took all of the computers out of his house.

Fast forward to last week.

On Wednesday, Gawker published an article about a major security flaw in iPads discovered by Goatse Security. Goatse did not publicize the security flaw until it had already been closed, so there was no opportunity for the flaw to be exploited. AT&T then blamed its security failure on the whistleblowers:

Unauthorized computer “hackers” maliciously exploited a function designed to make your iPad log-in process faster by pre-populating an AT&T authentication page with the email address you used to register your iPad for 3G service.
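The mechanism AT&T describes (and that a commenter below sums up as a query interface with no isolation and no password) is a lookup keyed on a device identifier that returns a registered e-mail address with no proof that the caller holds the device. The following is an added example, not code from the post or from AT&T: a toy model of that lookup beside a hardened form that requires a per-device secret issued at activation, returns only a masked address, and counts failed lookups per source so enumeration attempts surface in monitoring. The identifier format, the registry and the addresses are constructed for the example.

```python
import hmac
import hashlib
import secrets
from collections import Counter

# Constructed sample registry: device identifier -> registered e-mail address.
# The identifier format is made up; the post does not say what AT&T keyed on.
REGISTRY = {
    "DEV-0001": "alice@example.com",
    "DEV-0002": "bob@example.com",
}

def prefill_vulnerable(query):
    """The pattern the post describes: the identifier alone unlocks the record,
    so anyone who can supply plausible identifiers gets e-mail addresses back."""
    return REGISTRY.get(query.get("device_id"))

# Hardened variant: a per-device secret issued at activation (never derivable
# from the identifier) must accompany the lookup, the response is masked, and
# failed lookups are counted per source so enumeration shows up in monitoring.
SERVER_KEY = secrets.token_bytes(32)  # assumed to live only on the server
DEVICE_SECRETS = {}                   # device_id -> HMAC of the device's secret
FAILED_LOOKUPS = Counter()            # source address -> failed attempts

def _tag(secret):
    return hmac.new(SERVER_KEY, secret.encode(), hashlib.sha256).hexdigest()

def register_device(device_id):
    """Run once at activation; the device keeps the returned secret."""
    secret = secrets.token_hex(16)
    DEVICE_SECRETS[device_id] = _tag(secret)
    return secret

def mask_email(email):
    local, _, domain = email.partition("@")
    return local[0] + "***@" + domain

def prefill_hardened(query, source_ip):
    device_id = query.get("device_id", "")
    presented = query.get("device_secret", "")
    expected = DEVICE_SECRETS.get(device_id)
    if expected is not None and hmac.compare_digest(_tag(presented), expected):
        return mask_email(REGISTRY[device_id])
    FAILED_LOOKUPS[source_ip] += 1  # log and count, never reveal why it failed
    return None

def enumeration_suspected(source_ip, threshold=5):
    """Detection hook: many failed lookups from one source is the signal."""
    return FAILED_LOOKUPS[source_ip] >= threshold
```

In the hardened form an identifier by itself yields nothing, and the count of failures from one source is what an operator would alert on.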

The fact that AT&T chooses to blame the people who found the problem and reported it is bad enough. It is pretty clear to everyone in the tech universe that what Goatse did was a service to the community and that blaming them is lame. But what follows is truly shocking.

Unfortunately, it gets worse. In executing the search warrant, the FBI found drugs and arrested Auernheimer on possession charges. Now, I have no idea if Auernheimer is an overall good guy. And I am not a drug user and personally don't like the idea. But the idea that the FBI gets to ransack your home because you told on some huge corporation that couldn't give a hoot about your security unless it is publicly embarrassed about it is the ultimate example of no good deed going unpunished.

And while there will be lots of talk in the coming days about AT&T, security, and the Goatse situation, I want to focus on a larger issue.

Why is it so easy for these huge private companies to get law enforcement to do their bidding?

In the Apple case, I'd really like to know how easy it would be to get a "task force" to search for evidence that *MY* **RETURNED** phone was "stolen".

Ridiculous.

The truth is that if you are just some regular schmo, and you go to the police and tell them your kid is missing, they will tell you that you have to wait 24 hours, no matter how egregious the situation. But in the case of a lost but quickly returned phone, they have no problem sending in a crew of cops to ransack someone's house.

We all know that in the case of Apple, their beef isn't that Gizmodo bought the phone. Their beef is that Gizmodo wrote an article about their secret phone. If Gizmodo had bought the phone and returned it without writing the article, do you think there would be an investigation?

But Apple doesn't have a legal right to secrecy. They have to achieve that secrecy through vigilance. If they fail, there is no legal remedy unless it is some form of breach of contract in connection with a non-disclosure agreement. It is certainly in no case criminal. But what law enforcement is really doing here is creating a punishment for having exposed Apple's secret, because even if they don't ultimately pursue a case, the horror of being searched and investigated by the police is a powerful deterrent.

To suggest anything else is patently absurd.

In the case of AT&T, of course, we don't yet know all the facts. But if things play out the way they look, it's more of the same. Law enforcement is punishing someone for exposing an embarrassing corporate secret. This should not be the role of law enforcement in our society.

We should all have equal access to the law, and certainly there is no way in hell that I could get the police to investigate someone who returned my missing property. Ever. Of course I know that in this country you get as much access to the law as you can afford, but the fact that Apple can induce a criminal investigation that no regular person or even regular corporation could is scary.

Similarly, as far as I know, there has never been a case of the FBI investigating someone for exposing a security exploit, even when they did so before the exploit had a chance to be fixed, which in this case it was. This case represents a new danger to all of us if security researchers are now punished for exposing their discoveries.

The bottom line is that if we are not careful, we are at grave risk of our freedoms being eroded. The usual concern about such issues is that government is too big. That is not my worry because no matter what, government will, by necessity, be big. My concern is who controls it. Because if Apple's or AT&T's vote counts more than mine and yours, we have a problem.

18 comments:

"Their beef is that Gizmodo wrote an article about their secret phone..."

I don't think that the phone was returned quickly, and I believe there were strings attached to its return. Also, I believe that Engadget also published an article with photos of the prototype, and was not prosecuted in any way, which would argue against the idea that writing the article was the real problem.

To paraphrase... if you lose a phone and it is returned a week later, after an article is written about it, do you think the police will investigate? Never. As far as prosecution goes, there is likely not a case, so I am not surprised no official charges have been brought yet. The punishment is the investigation. Having your door knocked down and your computers and personal material taken is an *enormous* punishment.

I'd say I don't completely agree with you on this. I am not an Apple or ATT booster.

In the Gawker case: they paid $5000+ to somebody to delay the return of the phone, disassembled it (breaking it) and then tried to negotiate conditions for its return (extortion). It wasn't just a phone it was a trade secret. Is this something you would want to happen to you?

As far as the ATT case, I do agree with you. ATT is the one in the wrong. Nothing was hacked. ATT gave up info on a query interface that seemed to have no isolation and no password, so I really wonder if there was any crime (even an invented crime of circumvention, as there seemed to be nothing to circumvent). Actually there was one crime: criminal negligence on ATT's part.

The question of whether I would want it to happen is a separate question from whether there is a crime.

Regarding the "extortion", it was a request that Apple say the phone was theirs. I think I would have a hard time walking into a police station or a DA's office and using that as the basis of an extortion case.

You see, the point here is that what Apple had the police do is something you or I could *never* get any police force to do. If this were the regular procedure for a lost but returned item, then OK. But with the exact same fact pattern, neither you nor I could get the same outcome. And that is a problem.

- If I left a car (using a car here due to the value - it's not that it's a phone - it's that it's an item worth $5k+) unlocked in an unsafe area, it gets stolen, possibly taken apart, and then later returned to me, do you think the cops wouldn't investigate? Admittedly it may not be their top priority, but they will investigate. But you're missing another important aspect to this - the publicity factor. Apple may have gotten some extra attention to this due to their status, but Gizmodo certainly didn't help matters.

Going by the same respect, if I steal your car, sell it to someone else, who proceeds to take it apart, and post pictures of it on a highly visible site, then return it to me, do you not think the cops would investigate? If nothing more than to not provide the impression that it's ok to get away with this (something that regardless of whether you agree is pretty darn clear in California law?)

- As for the security aspect, I'd say the situation is not necessarily that it's AT&T, but rather the number of people either affected or likely affected by it.

If I find a security exploit / site vulnerability / etc, the generally accepted code of conduct is to let the vendor know and ideally give them time to do something about it. Of course, there's nothing saying I have to do this - I am fully within my rights to release the details of that exploit however I choose. What I am not permitted to do in any circumstance is to use said exploit to access confidential information as it appears the researcher(s) did in this circumstance, especially to the point of finding *all* of the instances in the dataset. I don't remember offhand if they did release the information discovered, but if they did that's what likely brought on the FBI. If they had found the same type of information by capitalizing on a similar set of vulnerabilities at, say a bank, you can be guaranteed the FBI would be all over them.

You may be right about the aspect that an individual typically wouldn't be able to get this level of attention for a similar issue (say, someone hacked your site and stole some info)- but if you happened to hold the personal information of 110k+ people, you're likely to get similar attention. The difference is if you legitimately have said quantities of info - you've probably already formed an entity that would be responsible for safeguarding that info. Said entity would likely contact the appropriate levels of law enforcement and get a similar response. However, what you might not get (and what you probably *don't* want) is the level of media attention following up on the story. We've also not heard about the inevitable lawsuits AT&T will face as a result of this mess.

I have personally been the victim of numerous acts of theft (stolen car, forged checks, stolen credit cards, etc.), totaling a loss of several tens of thousands of dollars. I know the police pretty well by now. They've informed me that losses of a few thousand dollars are *not* even investigated.

Hank is absolutely right. Of course Apple is getting special treatment.

Investigations take time and resources. Those are 2 things PDs are short on. While I feel sorry for your loss, if the thieves had taken your things and posted on the internet pictures, their contact information and an overwhelming amount of incriminating evidence, then it would be really hard for the police to ignore.

Fundamentally, that is the difference between your everyday theft and the Gizmodo incident.

While at the beginning I believed Gizmodo was wronged, the more they talked about it and the more evidence came out against them, the more I became convinced Jason Chen was no innocent. They were exhibiting classic symptoms of a guilty party: shifting story line, deflection of questions, blaming the victim (the Apple engineer).

Your information is incorrect. Goatse DID release the flaw before it was fixed. AND, they did USE IT to extract data, which is very illegal. If they had not used it, then there would be no problem. But they did use it and did illegally obtain data from AT&T systems. When people break laws, they get arrested. DUH!

Your information differs from that which is published elsewhere including TechCrunch. Can you please provide references? As far as extracting data, the information was on the public internet available without going through any encryption or password. This cannot be illegal or we are all in trouble.

You are 100% right. The only thing is that Apple does not have a legal right to secrets. You get to keep a trade secret, as with any secret, by keeping it secret. If you lose something, and someone reads it or sees it or takes a picture of it and word gets out, there is no legal remedy under laws around trade secrets, much less any *criminal* remedy.

About me

My name is Hank Williams. I have spent all of my professional career making products, including Clickradio, an early Internet music service, and DayMaker, one of the first personal information managers (address book, scheduling, task, notes, etc.) for the Mac.

I am now working on a new data and web development platform that will change humanity as we know it! This is my soap box.